Security is paramount at Dedoose. As experienced social scientists we fully understand that protecting research data, as well as that of your research
participants, is critical. Here you will find a detailed outline of our security protocols, best practices, and related information. Our actual binding agreement
regarding security can be found on our Terms and Conditions page.
Security in the Cloud
Security is a challenging and serious issue, one that must be addressed from the initial phase of a large project and remain a central pillar of a successful organization;
it is certainly not something that can be added after the fact. At Dedoose we have taken extraordinary steps to ensure the safety of your data, and we believe that we can prove our system is
far safer than any other system, short of working inside a locked vault with pencil and paper and a 24/7 armed guard.
Our data center is SAS 70 Type II certified. This certification ensures compliance with NIST, HIPAA, SOX, and GLBA and is the most stringent professional security audit available.
In our case, this means the staff and personnel allowed into the data center have had extensive background checks and are authorized with multiple forms of identification, including iris
and fingerprint scans. The audit also validated the physical protection at the facility and the security guard staff, so that a physical compromise of the systems and/or data is incredibly unlikely.
Virtual access security is accomplished in multiple steps, including a private VPN connection in order to manage the servers, with a separate authentication combination for the VPN as well as for each server.
Our servers are accessed, configured, and maintained by our in-house and expertly trained engineering staff. We constantly keep the servers up to date and run only the very minimal set of software required to operate
Dedoose. In addition, the master encryption key is extremely well guarded, and the system uses well-known and well-tested encryption algorithms as recommended by the National Security Agency for the highest levels of security.
Traditional software runs on your local computer. This requires that your data be stored on your physical machine, the same machine that, statistics show, is likely infected with at least one form of malware/spyware
without your knowing it. This same machine is likely used to browse the Internet, further exposing your computer and your data to the very real threat of Internet-based exploits, 0-day exploits, and more. Generally,
this machine is also on a network with many other less trusted machines, which creates another possible attack vector. Most computers are woefully behind on updates and therefore ripe for exploitation. Finally, almost all other
software we are aware of in this field takes absolutely no measures to encrypt your data. So, if your computer is lost, stolen, or compromised, it would be trivial for someone to view your data. Dedoose
hopes to prove to you how very seriously we take these issues, and to convince you that we are the most secure option for conducting your research.
Full Details
Although no computer system is completely secure, Dedoose incorporates several levels of industry-standard physical and electronic security measures designed to protect data used
by investigators. However, data security and integrity are dependent on the level of diligence of each user. This document details some of the protocols and tools SCRC incorporates
into the Dedoose application to assist users in protecting their data. Most of these tools are contained in the Dedoose Security Center. SCRC recommends that users strictly adhere
to the security protocols and practices described in this document.
For each project, there is one and only one project administrator (often a research project’s principal investigator) who is responsible for project administration. SCRC
provides the principal investigator a unique username and password for access to their account and project. The project administrator then arranges for separate and unique
username/password combinations for each user to be linked to their project. Dedoose recommends that the username/password combinations for each user follow a protocol similar
to that set by the Microsoft Corporation for server security, which encourages the use of strong passwords (relatively long and complex), changing passwords at regular intervals,
using different passwords for different accounts, avoiding the recording of passwords in insecure locations, never sharing passwords with others, and changing passwords immediately
if there is any indication they may have been compromised.
The Dedoose Security Center allows the project administrator to create project user groups. The project user groups define all view, create, modify, and delete data access
privileges for each individual user. The project administrator then assigns other project users to an appropriate group depending on their role. All data transmission between
users' local computers and the server database is fully encrypted based on applicable industry standards. Further, all project data are backed up nightly, encrypted, and
stored through RackSpace secure data backup services. The multiple levels of data encryption, encrypted data transmission, and password protections parallel the requirement,
for example, that all study data be secured in a locked room in a locked file cabinet if paper, and in a password-protected file inside a password-protected computer if electronic.
Data Communication Security:
All data communication through Dedoose occurs through a 2-lock system. First, Dedoose sets up an AES (Advanced Encryption Standard)-128 CBC (Cipher Block Chaining) encrypted
SSL (Secure Sockets Layer) tunnel using a premium SSL-EV certificate. All communication following this channel is encrypted. The user is not prompted for login information
until this communication channel is established. To avoid transmitting the login details themselves, Dedoose employs a one-way, non-reversible hash algorithm known as SHA-2
(Secure Hash Algorithm), designed by the United States National Security Agency. Dedoose does not store user passwords. Rather, the system stores the known result of this
algorithm over the username and password and then compares that stored result to the result the Dedoose client sends to the server for authentication.
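The two locks described above, as an added illustration that is not Dedoose's own code: the client first builds a verified TLS context (lock 1), then sends a SHA-256 digest over username and password rather than the password itself (lock 2), and the server compares that digest against the value it stored at enrollment. The NUL separator between username and password, the PBKDF2 salting and stretching of the stored value, and the dummy record for unknown usernames are assumptions added here for hardening; the page only states that a SHA-2 result is stored and compared.

```python
import hashlib
import hmac
import secrets
import ssl

# Constructed sample credentials for the demonstration; not real accounts.
USERNAME = "pi_smith"
PASSWORD = "correct horse battery staple"


def client_tls_context() -> ssl.SSLContext:
    """Lock 1: the encrypted channel. The page calls it SSL; current stacks
    negotiate TLS, so we set a floor of TLS 1.2 and require the server
    certificate and hostname to verify before any login material is sent."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def client_login_digest(username: str, password: str) -> str:
    """Lock 2: the client transmits a one-way SHA-2 (SHA-256) digest over
    username and password instead of the password. The NUL separator is an
    assumption; it keeps ("ab", "c") and ("a", "bc") from colliding."""
    material = username.encode("utf-8") + b"\x00" + password.encode("utf-8")
    return hashlib.sha256(material).hexdigest()


class LoginStore:
    """Server side. Only the client digest is ever seen, never the password.
    Because that digest is itself what logs a user in, the store does not keep
    it verbatim: it is salted and stretched with PBKDF2 so a copy of the table
    cannot simply be replayed as a login. (Salting and stretching are hardening
    steps assumed here, not something the page states Dedoose does.)"""

    ITERATIONS = 100_000

    def __init__(self) -> None:
        self._records: dict[str, tuple[bytes, bytes]] = {}
        # Dummy record so that an unknown username costs the same time as a
        # wrong password, which keeps valid usernames from being enumerated.
        self._dummy = (secrets.token_bytes(16), secrets.token_bytes(32))

    @staticmethod
    def _stretch(client_digest: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac(
            "sha256", client_digest.encode("ascii"), salt, LoginStore.ITERATIONS
        )

    def enroll(self, username: str, client_digest: str) -> None:
        salt = secrets.token_bytes(16)
        self._records[username] = (salt, self._stretch(client_digest, salt))

    def verify(self, username: str, client_digest: str) -> bool:
        salt, expected = self._records.get(username, self._dummy)
        candidate = self._stretch(client_digest, salt)
        # Constant-time comparison, and default deny for unknown users.
        return hmac.compare_digest(candidate, expected) and username in self._records


def demo() -> bool:
    """Enroll one user, then run a correct, a wrong-password, and an
    unknown-user login attempt. Returns True when all three behave correctly."""
    store = LoginStore()
    store.enroll(USERNAME, client_login_digest(USERNAME, PASSWORD))
    ok = store.verify(USERNAME, client_login_digest(USERNAME, PASSWORD))
    bad = store.verify(USERNAME, client_login_digest(USERNAME, "wrong"))
    unknown = store.verify("nobody", client_login_digest("nobody", PASSWORD))
    return ok and not bad and not unknown


if __name__ == "__main__":
    ctx = client_tls_context()
    print("TLS floor:", ctx.minimum_version.name)
    print("login flow behaves as expected:", demo())
```

The point worth noticing is that in this design the client digest is the credential: anyone who captures it can log in, which is why the page insists the channel is established before the user is prompted. The server-side salting shown here addresses the other half of that risk, a leaked credential table.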
Data Storage Security:
Dedoose is hosted on commercial servers with all project data backed up in full nightly at approximately 1:00 a.m. PST. The servers are located in SAS 70 Type II data centers.
Only SCRC's infrastructure management team has access to these servers, as is required for system maintenance and administration. The backups are fully encrypted with AES-128
and then transferred to a secure RackSpace file storage system, again with a SAS 70 Type II certification. The encryption key used to secure the backups is known only
to SCRC's management team. The cloud-based backup file storage system incorporates the following security measures: redundant and perpetual storage, SAS 70 Type II data
centers, 99.97% guaranteed uptime, 256-bit AES encryption over SSL, and HIPAA compliance.
Data Retention:
Following the expiration of all Dedoose user licenses with authorized administrative access to a project's data on a particular client account, users can regain access
to the project after re-activating their license for as long as SCRC continues to archive the project data. The following details SCRC's data retention policy for Dedoose:
- SCRC will retain data for two years after the expiration of all user logins.
- Authorized users can regain access to project data during this two-year period by providing a specific written request to SCRC. Such requests should be sent to: support@Dedoose.com.
- Upon specific written request from the project administrator, SCRC will permanently delete all project data before the end of the two-year period.
- Within six months of either: a) the end of the two-year retention period, or b) receipt of the express written request from the project administrator, SCRC
will delete all data from backup tapes.
- SCRC may, in its sole and absolute discretion, retain project data longer than two years upon written request from a project administrator.
Privacy Protection:
SCRC provides industry standard protection for personally identifying information. SCRC would only disclose personally identifiable information about users or information
about your project to third parties in limited circumstances: (1) with your consent; or (2) when we have a good faith belief it is required by law, such as pursuant to a subpoena
or other governmental, judicial, or administrative order.
If SCRC is required by law to disclose personally identifying or project data, SCRC will attempt to provide you with notice (unless we are prohibited from doing so) that a
request for your information has been made in order to give you an opportunity to object to the disclosure. We will attempt to provide this notice by email, if you have given
us an email address, and/or by postal mail if you have provided a postal address. Even if you challenge the disclosure request, we may still be legally required to turn over
the personally identifying information and/or project data.
Summary of the Dedoose 7-lock system:
- Encrypted SSL tunnel is established for communication between Dedoose client and server (SSL AES-128).
- Login username/password is then encrypted in a one-way Hash (SHA-2) and transmitted across the SSL tunnel.
- Security and access privileges are set by each Dedoose account owner/project administrator on a per-project basis, via the Security Center. The Security Center
allows project administrators to control exactly which information a user is allowed to view, create, edit, or delete.
- The Dedoose data center follows SAS 70 Type II and HIPAA compliance and requires multiple forms of identification for access to the facility.
- All backups are encrypted with AES internally, transferred to RackSpace via SSL AES-128, and encrypted a second time with RackSpace's chosen algorithm.
- Server login is accessible only through a private VPN connection with its own SSL tunnel and separate authentication.
- Server login is protected by Windows secure login authentication, which uses an AES encryption algorithm.
Data Breach Notification and Incident Response Plan:
SCRC hosts all data within the continental U.S. unless otherwise agreed upon and determined as needed on a project-by-project basis. SCRC has a systematic plan for response
to, and notification of, any breach in data security. Upon the detection of any breach in data security, SCRC technical staff, led by the SCRC Chief Technical Officer, will
immediately assess the size, scope, and severity of the breach. Following this assessment, SCRC will notify all project administrators of projects that may have been
involved and communicate the response plan. Depending on the nature and cause of the breach, SCRC will take appropriate action to prevent any future breach and then,
to the extent reasonably practicable, restore the integrity of all Dedoose project data that had been affected. Further details about this notification and response
plan will be provided upon request.
SCRC cannot and does not guarantee complete data security and integrity for project-related data. However, the tools described above are designed to provide industry-standard
security, and SCRC recommends that users strictly adhere to the security protocols described in this document and be diligent in their protection of the data for which they are responsible.